35 matches found
Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts
Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources HR and enterprise resource planning ERP platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. "The extensions work in concert to...
SEO spam and hidden links: how to protect your website and your reputation
When analyzing the content of websites in an attempt to determine what category it belongs to, we sometimes get an utterly unexpected result. It could be the official page of a metal structures manufacturer or online flower shop, or, say, a law firm website, with completely neutral content, but o...
EUVD-2018-3161
Malware in sbrugna...
CVE-2024-37051
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5,...
GHSA-48CQ-79QQ-6F7X Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files
Impact This CVE covers the ability of 3rd party websites to access routes and upload files to users running Gradio applications locally. For example, the malicious owners of www.dontvisitme.com could put a script on their website that uploads a large file to http://localhost:7860/upload and anyon...
MTN Group: Unauthorized access to PII leads to Administrator account Takeover
The vulnerability arises from insufficient restrictions placed on the list of post authors, which could be exploited by remote attackers to obtain sensitive information through wp/v2/users/15 requests. The sensitive information, including email addresses, could be obtained and used in further...
Publitas: CORS Misconfiguration on █████
A cross-origin resource sharing misconfiguration was found that could allow an attacker to steal sensitive user information or force unwanted actions. The misconfiguration allowed credentials and enabled CORS for external domains. A proof of concept was shown that could exploit this to exfiltrate...
CVE-2023-45143
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in...
SUSE CVE-2018-5115
If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about the originating site of the...
SUSE CVE-2021-43540
WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox 95...
Radancy: Cross-origin resource sharing: arbitrary origin trusted
referred from CWE-942: Permissive Cross-domain Policy with Untrusted Domains Issue detail The application implements an HTML5 cross-origin resource sharing CORS policy for this request that allows access from any domain. The application allowed access from the requested origin https://example.com...
Server side request forgery (ssrf)
The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF...
CVE-2022-2912 Craw Data <= 1.0.0 - Server Side Request Forgery
The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF...
Roblox Beamers steal items from kids
Roblox gamers are once again being warned to be on their guard against scammers plundering valuable digital items. Most multiplayer titles are all about customization. You won’t find many popular games where digital items aren’t up for grabs. Some games lock the items, such as outfits, weapons, o...
CVE-2021-43540
WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox 95...
UBUNTU-CVE-2021-43540
WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox 95...
Facebook Is Down
Facebook -- along with Instagram and WhatsApp -- went down globally today. Basically, someone deleted their BGP records, which made their DNS fall apart. …at approximately 11:39 a.m. ET today 15:39 UTC, someone at Facebook caused an update to be made to the companys Border Gateway Protocol BGP...
Open Redirection
notebook is vulnerable to open redirection. An attacker may send a malicious link to a notebook server resulting in a redirection of users to third-party sites...
Sudomy - Subdomain Enumeration & Analysis
Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in fast and comprehensive way. Features For recent time,Sudomy has these 9 features: Easy, light, fast and powerful. Bash script is available by default in almost all Linux distributions...
WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites
If you have a "private" blog with WordPress.com and are using its official iOS app to create or edit posts and pages, the secret authentication token for your admin account might have accidentally been leaked to third-party websites. WordPress has recently patched a severe vulnerability in its iO...